There’s never a good time to receive an alert that one of your accounts has been hacked. That’s the reality for a large number of T-Mobile customers this week following a short-lived attack on the company’s network.
According to the notice posted by T-Mobile on its website, the suspicious activity took place this Monday. Hackers managed to breach a database by exploiting a vulnerable API — or application programming interface, which is a set of software building blocks that make it easier for developers to access data or technologies when creating an app.
T-Mobile cyber security staff detected the attack a short time after it began. In a statement to Motherboard, a T-Mobile spokesperson said that data belonging to “less than 3%” of the company’s roughly 76 million subscribers was accessed. Limiting the damage to such a small percentage is certainly a positive… but it still means that roughly 2 million T-Mobile customers were impacted.
The company’s announcement states that customers’ names, billing zip codes, phone numbers, email addresses and account numbers may have been exposed. The particular API that the hackers exploited was not, however, wired into any payment card data. Social security numbers and passwords were also not accessible via the API.
To its credit, T-Mobile has moved just as quickly to notify affected customers in the wake of the breach. As we’ve seen before, companies don’t always put customers first when dealing with a hack. Some have waited several months before disclosing a breach. Thankfully, legislators have passed breach notification laws to encourage prompt, responsible disclosure.